Installing OpenVPN on CentOS 6.2
I. System environment
Server: CentOS 6.2 x86_64
IP: 192.168.0.31
Client: Windows XP
IP: 192.168.0.42
II. Installation
1. Check that the tun kernel module is present (OpenVPN needs the TUN/TAP driver, character device major 10 minor 200)
# modinfo tun
filename:       /lib/modules/2.6.32-220.el6.x86_64/kernel/drivers/net/tun.ko
alias:          char-major-10-200
license:        GPL
author:         (C) 1999-2004 Max Krasnyansky <maxk@qualcomm.com>
description:    Universal TUN/TAP device driver
srcversion:     5A72C0DB4EBDF9E4B1D5016
depends:
vermagic:       2.6.32-220.el6.x86_64 SMP mod_unload modversions
2. Install the build dependencies with yum
# yum install -y openssl openssl-devel lzo lzo-devel pam pam-devel
3. Unpack the source
# tar -zxvf openvpn-2.2.2.tar.gz
4. Enter the source directory
# cd openvpn-2.2.2
5. Configure, build and install
# ./configure
# make && make install
Before unpacking, check the tarball against the signature file (.asc) published with the release. A source build also receives no security updates from yum, so plan to rebuild when new releases appear; the EPEL repository carries a packaged openvpn for EL6 as an alternative.
6. Create the configuration directory
# mkdir /etc/openvpn
7. Copy the easy-rsa certificate tooling into the configuration directory
# cp -R openvpn-2.2.2/easy-rsa/ /etc/openvpn/
8. Enter the easy-rsa directory
# cd /etc/openvpn/easy-rsa/2.0/
9. Edit vars
# vi vars
export KEY_COUNTRY="CN"
export KEY_PROVINCE="SHANGHAI"
export KEY_CITY="SHANGHAI"
export KEY_ORG="LECAKE"
export KEY_EMAIL="[email protected]"
export KEY_EMAIL=mail@host.domain
The second, unquoted KEY_EMAIL line is the placeholder the shipped vars file already contains. Two other settings in the same file matter more than the address fields: KEY_SIZE defaults to 1024, which is why every key and the DH group generated below come out at 1024 bits, so set it to 2048 before sourcing the file; KEY_CN, KEY_NAME and KEY_OU default to "changeme", which is what the prompts below offer.
10. Copy the OpenSSL configuration (CentOS 6 ships OpenSSL 1.0.0, so the 1.0.0 template is the right one)
# cp openssl-1.0.0.cnf openssl.cnf
11. Source the vars file
# . ./vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /etc/openvpn/easy-rsa/2.0/keys
12. Run clean-all (this empties the keys directory; run it once, before the CA is built, and never again on a live CA)
# ./clean-all
13. Create the CA
# ./build-ca
Generating a 1024 bit RSA private key
....................++++++
.......................................................++++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [SHANGHAI]:
Locality Name (eg, city) [SHANGHAI]:
Organization Name (eg, company) [LECAKE]:
Organizational Unit Name (eg, section) [changeme]:
Common Name (eg, your name or your server's hostname) [changeme]:
Name [changeme]:
Email Address [[email protected]]:
Press Enter at every prompt to accept the defaults. The original ran this as "./build-ca server", but build-ca takes no name: it always writes ca.crt and ca.key (as the output shows), and the server certificate is built in the next step. Accepting the defaults gives the CA the Common Name "changeme"; type a real name so the CA is recognisable. ca.key is the root of trust for every certificate that follows and is needed only to sign and revoke certificates, so keep it off the VPN server where possible, and in any case mode 0600 and outside the directory the daemon reads.
14. Create the server certificate and key
# ./build-key-server server
Generating a 1024 bit RSA private key
..........++++++
........++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [SHANGHAI]:
Locality Name (eg, city) [SHANGHAI]:
Organization Name (eg, company) [LECAKE]:
Organizational Unit Name (eg, section) [changeme]:
Common Name (eg, your name or your server's hostname) [server]:
Name [changeme]:
Email Address [[email protected]]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'SHANGHAI'
localityName          :PRINTABLE:'SHANGHAI'
organizationName      :PRINTABLE:'LECAKE'
organizationalUnitName:PRINTABLE:'changeme'
commonName            :PRINTABLE:'server'
name                  :PRINTABLE:'changeme'
emailAddress          :IA5STRING:'[email protected]'
Certificate is to be certified until Mar 23 23:51:50 2023 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
build-key-server signs with the "server" extension section of openssl.cnf, which adds nsCertType=server and extendedKeyUsage=serverAuth to the certificate. The client-side "ns-cert-type server" (or "remote-cert-tls server") check in part III relies on those extensions to tell a server certificate from a client one, since both are issued by the same CA.
15. Create the client certificate and key
# ./build-key client1
Generating a 1024 bit RSA private key
...........................++++++
.++++++
writing new private key to 'client1.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [CN]:
Locality Name (eg, city) [SHANGHAI]:
Organization Name (eg, company) [LECAKE]:
Organizational Unit Name (eg, section) [changeme]:
Common Name (eg, your name or your server's hostname) [client1]:
Name [changeme]:
Email Address [[email protected]]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/2.0/openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'CN'
stateOrProvinceName   :PRINTABLE:'SHANGHAI'
localityName          :PRINTABLE:'SHANGHAI'
organizationName      :PRINTABLE:'LECAKE'
organizationalUnitName:PRINTABLE:'changeme'
commonName            :PRINTABLE:'client1'
name                  :PRINTABLE:'changeme'
emailAddress          :IA5STRING:'[email protected]'
Certificate is to be certified until Mar 23 23:52:15 2023 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Run build-key once per client, each with its own Common Name (client2, client3, ...), so that a lost laptop can be revoked on its own with ./revoke-full. The "challenge password" prompt is not a key passphrase; to protect the client key with a passphrase, use ./build-key-pass instead of ./build-key.
16. Generate the Diffie-Hellman parameters
# ./build-dh
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
................+...................+.....................+......++*++*++*
(progress output shortened)
build-dh writes keys/dh${KEY_SIZE}.pem, here dh1024.pem. A 1024-bit group is below current minimums (the 2015 Logjam analysis put 1024-bit discrete logarithms within reach of a well-funded attacker); with KEY_SIZE=2048 in vars the file is dh2048.pem, and the dh line in server.conf must then name that file.
17. Create the server configuration file
# vi /etc/openvpn/server.conf
Contents of /etc/openvpn/server.conf:
# Local address to listen on; may be omitted to bind to all addresses
local 192.168.0.31
# Port, default 1194
port 1194
# Protocol, UDP by default; clients behind an HTTP proxy require TCP
proto udp
# Device type: tap is a layer-2 device and carries link-layer protocols;
# tun is a layer-3 point-to-point device with a few more restrictions. tun is recommended.
dev tun
# Root CA generated with build-ca; used to check that client certificates are valid
ca /etc/openvpn/keys/ca.crt
# Server certificate
cert /etc/openvpn/keys/server.crt
# Private key for the server certificate. This file should be kept secret: mode 0600, owned by root
key /etc/openvpn/keys/server.key
# Diffie-Hellman parameters generated above (1024-bit here; with KEY_SIZE=2048 the file is dh2048.pem)
dh /etc/openvpn/keys/dh1024.pem
# Address pool and netmask handed out to clients
server 10.8.0.0 255.255.255.0
# Records which client got which address (like a dhcpd.leases file) so that
# openvpn does not "forget" a client's address across a restart.
# Relative paths are resolved from the directory openvpn was started in,
# so give them absolutely unless you also set "cd".
ifconfig-pool-persist /etc/openvpn/ipp.txt
# DHCP options pushed to clients; see the manual. Use straight quotes only:
# the curly opening quotes in the original were passed to clients as part of
# the option text (visible in the push_entry lines of the start-up log in step 22)
push "dhcp-option DNS 192.168.0.12"
push "dhcp-option DNS 8.8.8.8"
# Routes pushed from the server; the client pulls and applies everything the server pushes.
# The 10.8.0.0/24 route is already installed by the "server" directive; the LAN route
# is what lets clients reach 192.168.0.0/24 (the start-up log in step 22 shows it being pushed)
push "route 10.8.0.0 255.255.255.0"
push "route 192.168.0.0 255.255.255.0"
# Forward traffic between VPN clients inside the openvpn process instead of
# sending it out through the tun/tap device and back, which is faster for
# client-to-client traffic. Leave it out unless clients genuinely need to reach each other.
client-to-client
# Needed if several clients present certificates with the same Common Name,
# i.e. share one certificate; without it only one of them can be connected at a time.
# Sharing a certificate means one leaked key admits everyone and nobody can be
# revoked individually; prefer one certificate per client and drop this line.
duplicate-cn
# Maximum number of concurrent clients
max-clients 10
# Behind NAT, a VPN that stays idle lets the NAT session expire and the
# connection drops. keepalive provides a ping-like mechanism: ping the peer
# over the VPN control channel every 10 seconds and, if nothing is heard for
# 120 seconds, treat the link as lost and restart (in server mode the server
# itself does not reconnect)
keepalive 10 120
# Compress the data; must match on server and client
comp-lzo
# On a keepalive-triggered restart, keep the loaded keys instead of re-reading them
persist-key
# On a keepalive-triggered restart, keep the tun/tap device up instead of
# taking it down and up again
persist-tun
# Periodically write status information to a file, e.g. for accounting scripts
status /etc/openvpn/openvpn-status.log
# Like "log", but existing log contents are kept across restarts and new lines appended
log-append /etc/openvpn/openvpn.log
# Roughly the debug level; see the manual
verb 4
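The configuration above leaves several security-relevant settings at their OpenVPN 2.2 defaults. As an added example (not code from the original post), this POSIX shell script audits a server.conf for those defaults and writes a hardened counterpart that keeps the page's addresses; the /etc/openvpn/keys paths, the ta.key and crl.pem files and both sample configs embedded in it are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): audit a server.conf for the weak
# defaults the configuration in step 17 inherits from OpenVPN 2.2, and write a
# hardened counterpart with the same addresses. The /etc/openvpn/keys paths and
# both sample configs are constructed for illustration.

# True if the config sets directive $2 (comments and indentation ignored).
conf_has() { grep -Eq '^[[:space:]]*'"$2"'([[:space:]]|$)' "$1"; }

# Print one WARN line per weakness; return the number of findings (0 = clean).
audit_server_conf() {
    c="$1"; n=0
    warn() { echo "WARN: $1"; n=$((n + 1)); }
    if ! conf_has "$c" cipher || grep -Eq '^[[:space:]]*cipher[[:space:]]+BF-CBC' "$c"; then
        warn "data channel uses BF-CBC, the 2.2 default (64-bit blocks, SWEET32); set 'cipher AES-256-CBC'"
    fi
    conf_has "$c" auth         || warn "HMAC left at the SHA1 default; set 'auth SHA256'"
    grep -Eq '^[[:space:]]*dh[[:space:]].*dh1024' "$c" && warn "1024-bit DH parameters; set KEY_SIZE=2048 in vars and rerun ./build-dh"
    conf_has "$c" tls-auth     || warn "no 'tls-auth': anyone on the internet can start a TLS handshake with the server"
    conf_has "$c" user         || warn "daemon keeps root after start-up; add 'user nobody' and 'group nobody'"
    conf_has "$c" duplicate-cn && warn "'duplicate-cn': one leaked certificate admits everyone; issue one per client"
    conf_has "$c" crl-verify   || warn "no 'crl-verify': revoked client certificates are still accepted"
    conf_has "$c" comp-lzo     && warn "'comp-lzo' compresses plaintext before encryption (size side channel, cf. VORACLE)"
    return "$n"
}

# The server.conf from step 17 (comments stripped) as the weak sample.
write_page_conf() {
    cat > "$1" <<'EOF'
local 192.168.0.31
port 1194
proto udp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh1024.pem
server 10.8.0.0 255.255.255.0
push "dhcp-option DNS 192.168.0.12"
client-to-client
duplicate-cn
keepalive 10 120
comp-lzo
persist-key
persist-tun
verb 4
EOF
}

# Hardened counterpart: same addresses, weak defaults overridden.
write_hardened_conf() {
    cat > "$1" <<'EOF'
local 192.168.0.31
port 1194
proto udp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key
dh /etc/openvpn/keys/dh2048.pem
# control-channel HMAC; create with: openvpn --genkey --secret /etc/openvpn/keys/ta.key
tls-auth /etc/openvpn/keys/ta.key 0
# written by easy-rsa ./revoke-full <client>; re-read on every connect, so it
# must stay readable by the unprivileged uid set below (keep it outside keys/)
crl-verify /etc/openvpn/crl.pem
cipher AES-256-CBC
auth SHA256
server 10.8.0.0 255.255.255.0
push "route 192.168.0.0 255.255.255.0"
push "dhcp-option DNS 192.168.0.12"
keepalive 10 120
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn-status.log
log-append /var/log/openvpn.log
verb 3
EOF
}

# Demo: the weak sample fails eight checks, the hardened one passes.
d=$(mktemp -d)
write_page_conf "$d/page.conf"; write_hardened_conf "$d/hardened.conf"
for f in page hardened; do
    echo "== $f.conf"
    audit_server_conf "$d/$f.conf" && echo "clean" || echo "$? finding(s)"
done
rm -rf "$d"
```

Run the audit against a live file with "audit_server_conf /etc/openvpn/server.conf"; the exit status is the number of findings. The hardened file drops client-to-client and duplicate-cn rather than keeping them, and because it switches to user nobody with persist-key, anything OpenVPN re-reads at run time (the CRL in particular) must remain readable by that uid, which is why crl.pem lives outside the mode-0700 keys directory.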
18. Copy the certificates and keys into place (the original ran the cp commands from /etc/openvpn without first creating the keys directory, so the first cp would have produced a file named "keys")
# mkdir -p /etc/openvpn/keys
# cp /etc/openvpn/easy-rsa/2.0/keys/ca.crt /etc/openvpn/keys/
# cp /etc/openvpn/easy-rsa/2.0/keys/server.crt /etc/openvpn/keys/
# cp /etc/openvpn/easy-rsa/2.0/keys/server.key /etc/openvpn/keys/
# cp /etc/openvpn/easy-rsa/2.0/keys/dh1024.pem /etc/openvpn/keys/
# chmod 700 /etc/openvpn/keys
# chmod 600 /etc/openvpn/keys/server.key
Only these four files belong on the server; ca.key and the client keys stay with the CA.
19. Enable IP forwarding, so the kernel routes packets between tun0 and the LAN
# vi /etc/sysctl.conf
net.ipv4.ip_forward = 1
# sysctl -p
20. Open the firewall
# iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE
# iptables -I INPUT -p udp --dport 1194 -j ACCEPT
# iptables -I FORWARD -i tun0 -s 10.8.0.0/24 -j ACCEPT
# iptables -I FORWARD -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
Two corrections to the rules as originally posted. First, they were added with -A (append): a stock CentOS 6 rule set ends both INPUT and FORWARD with "-j REJECT --reject-with icmp-host-prohibited", and anything appended after that rule never matches, so insert with -I or verify the order with "iptables -L -n --line-numbers". Second, the FORWARD rule matched "-p udp --dport 1194" from 10.8.0.0/24, but UDP 1194 is the tunnel's outer packet and arrives on INPUT; what transits FORWARD is the clients' decrypted traffic leaving tun0 (any protocol) and the replies going back in, which is what the two FORWARD rules above allow. MASQUERADE hides the 10.8.0.0/24 addresses behind the server's LAN address, so LAN hosts need no route back to the VPN subnet.
21. Save the firewall rules
# /etc/init.d/iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables: [  OK  ]
# /etc/init.d/iptables restart
iptables: Flushing firewall rules: [  OK  ]
iptables: Setting chains to policy ACCEPT: nat filter [  OK  ]
iptables: Unloading modules: [  OK  ]
iptables: Applying firewall rules: [  OK  ]
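As an added example (not part of the original post), the following shell function checks, from "iptables -S" output, whether the OpenVPN accept rule comes before the chain's terminal REJECT, and a second function prints the rule set this page needs. The chain listings are constructed to mimic a stock CentOS 6 box after each variant of step 20; eth0 as the LAN interface is an assumption.

```shell
#!/bin/sh
# Added example (not from the original post): check that the OpenVPN accept
# rule lands ahead of the stock CentOS 6 REJECT rule, and print a rule set
# that does. The chain listings below are constructed to mimic "iptables -S";
# tun0, 10.8.0.0/24 and udp/1194 follow this page, eth0 is an assumption.

# Read "iptables -S <chain>" output on stdin. Succeed only if an ACCEPT for
# --dport $1 appears before the chain's first unconditional REJECT/DROP.
rule_order_ok() {
    awk -v port="$1" '
        $0 ~ ("--dport " port " ") && /-j ACCEPT/ && !acc { acc = NR }
        /^-A [A-Za-z0-9_]+ -j (REJECT|DROP)/ && !rej { rej = NR }
        END { exit !(acc && (!rej || acc < rej)) }'
}

# Stock CentOS 6 INPUT chain after the step-20 rule was *appended* with -A:
# the REJECT still comes first, so the new rule is dead.
input_after_append() {
    cat <<'EOF'
-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -m state --state NEW -m udp -p udp --dport 1194 -j ACCEPT
EOF
}

# The same chain after "iptables -I INPUT ..." (inserted at the top).
input_after_insert() {
    cat <<'EOF'
-P INPUT ACCEPT
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
EOF
}

# Commands that give a working rule set on a stock CentOS 6 box.
openvpn_rules() {
    cat <<'EOF'
iptables -I INPUT -p udp --dport 1194 -j ACCEPT
iptables -I FORWARD -i tun0 -s 10.8.0.0/24 -o eth0 -j ACCEPT
iptables -I FORWARD -i eth0 -o tun0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
/etc/init.d/iptables save
EOF
}

# Demo on the constructed listings.
echo "appended rule:"; input_after_append | rule_order_ok 1194 && echo "  reachable" || echo "  dead (after REJECT)"
echo "inserted rule:"; input_after_insert | rule_order_ok 1194 && echo "  reachable" || echo "  dead (after REJECT)"
echo "rules to apply:"; openvpn_rules
```

On a live box, "iptables -S INPUT | rule_order_ok 1194" and "iptables -S FORWARD | rule_order_ok 1194" (the latter only if you kept a port-based FORWARD rule) give the same pass/fail answer; the check deliberately treats any unconditional REJECT or DROP as the end of the chain, which is also how the kernel treats it.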
22. Start the server
# openvpn --config /etc/openvpn/server.conf &
[1] 6748
Started with "&" the daemon stays attached to the login shell and dies with it; for anything beyond a first test start it with "openvpn --daemon --config /etc/openvpn/server.conf" or from an init script. With verb 4 the first thing logged is a dump of every effective parameter ("Current Parameter Settings"); the entries worth reading are the ones that reveal defaults the configuration never set:
Tue Mar 26 08:00:14 2013 us=869601 mode = 1
Tue Mar 26 08:00:14 2013 us=869821 proto = udp
Tue Mar 26 08:00:14 2013 us=869840 local = '192.168.0.31'
Tue Mar 26 08:00:14 2013 us=869872 local_port = 1194
Tue Mar 26 08:00:14 2013 us=870268 dev = 'tun'
Tue Mar 26 08:00:14 2013 us=870342 topology = 1
Tue Mar 26 08:00:14 2013 us=871183 username = '[UNDEF]'
Tue Mar 26 08:00:14 2013 us=871215 groupname = '[UNDEF]'
Tue Mar 26 08:00:14 2013 us=871234 chroot_dir = '[UNDEF]'
Tue Mar 26 08:00:14 2013 us=872469 ciphername = 'BF-CBC'
Tue Mar 26 08:00:14 2013 us=872506 authname = 'SHA1'
Tue Mar 26 08:00:14 2013 us=872819 ca_file = '/etc/openvpn/keys/ca.crt'
Tue Mar 26 08:00:14 2013 us=872858 dh_file = '/etc/openvpn/keys/dh1024.pem'
Tue Mar 26 08:00:14 2013 us=872974 cert_file = '/etc/openvpn/keys/server.crt'
Tue Mar 26 08:00:14 2013 us=872999 priv_key_file = '/etc/openvpn/keys/server.key'
Tue Mar 26 08:00:14 2013 us=873163 crl_file = '[UNDEF]'
Tue Mar 26 08:00:14 2013 us=874023 tls_auth_file = '[UNDEF]'
Tue Mar 26 08:00:14 2013 us=874056 server_network = 10.8.0.0
Tue Mar 26 08:00:14 2013 us=874078 server_netmask = 255.255.255.0
Tue Mar 26 08:00:14 2013 us=874282 push_entry = '“dhcp-option DNS 202.106.0.20"'
Tue Mar 26 08:00:14 2013 us=874315 push_entry = 'route 192.168.0.0 255.255.255.0'
Tue Mar 26 08:00:14 2013 us=874334 push_entry = 'route 10.8.0.0 255.255.255.0'
Tue Mar 26 08:00:14 2013 us=874353 push_entry = 'topology net30'
Tue Mar 26 08:00:14 2013 us=874371 push_entry = 'ping 10'
Tue Mar 26 08:00:14 2013 us=874389 push_entry = 'ping-restart 120'
Tue Mar 26 08:00:14 2013 us=874440 ifconfig_pool_start = 10.8.0.4
Tue Mar 26 08:00:14 2013 us=874461 ifconfig_pool_end = 10.8.0.251
Tue Mar 26 08:00:14 2013 us=874499 ifconfig_pool_persist_filename = 'ipp.txt'
Tue Mar 26 08:00:14 2013 us=874861 enable_c2c = ENABLED
Tue Mar 26 08:00:14 2013 us=874879 duplicate_cn = DISABLED
Tue Mar 26 08:00:14 2013 us=874915 max_clients = 1024
(the rest of the parameter dump omitted)
Three things stand out. ciphername = 'BF-CBC' and authname = 'SHA1' are the 2.2 defaults, present because server.conf sets neither cipher nor auth; tls_auth_file, crl_file, username and groupname are all [UNDEF], so the server accepts TLS handshakes from any source, cannot reject a revoked certificate, and keeps running as root. The first push_entry shows the curly opening quote from the config being carried into the option text, which a client will not parse as a dhcp-option; use straight quotes. The pushed DNS address, duplicate_cn = DISABLED and max_clients = 1024 also show that this dump was captured with a slightly different server.conf from the one listed in step 17. The remaining lines are the actual start-up:
Tue Mar 26 08:00:14 2013 us=875173 OpenVPN 2.2.2 x86_64-unknown-linux-gnu [SSL] [LZO2] [EPOLL] [eurephia] built on Mar 26 2013
Tue Mar 26 08:00:14 2013 us=876314 NOTE: your local LAN uses the extremely common subnet address 192.168.0.x or 192.168.1.x. Be aware that this might create routing conflicts if you connect to the VPN server from public locations such as internet cafes that use the same subnet.
Tue Mar 26 08:00:14 2013 us=876364 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Tue Mar 26 08:00:14 2013 us=881199 Diffie-Hellman initialized with 1024 bit key
Tue Mar 26 08:00:14 2013 us=882727 TLS-Auth MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Tue Mar 26 08:00:14 2013 us=889852 Socket Buffers: R=[124928->131072] S=[124928->131072]
Tue Mar 26 08:00:14 2013 us=891614 ROUTE default_gateway=192.168.0.1
Tue Mar 26 08:00:15 2013 us=50987 TUN/TAP device tun0 opened
Tue Mar 26 08:00:15 2013 us=52234 TUN/TAP TX queue length set to 100
Tue Mar 26 08:00:15 2013 us=52345 /sbin/ifconfig tun0 10.8.0.1 pointopoint 10.8.0.2 mtu 1500
Tue Mar 26 08:00:15 2013 us=67991 /sbin/route add -net 10.8.0.0 netmask 255.255.255.0 gw 10.8.0.2
Tue Mar 26 08:00:15 2013 us=70417 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Tue Mar 26 08:00:15 2013 us=70510 UDPv4 link local (bound): 192.168.0.31:1194
Tue Mar 26 08:00:15 2013 us=70552 UDPv4 link remote: [undef]
Tue Mar 26 08:00:15 2013 us=70583 MULTI: multi_init called, r=256 v=256
Tue Mar 26 08:00:15 2013 us=70685 IFCONFIG POOL: base=10.8.0.4 size=62
Tue Mar 26 08:00:15 2013 us=70756 IFCONFIG POOL LIST
Tue Mar 26 08:00:15 2013 us=70822 Initialization Sequence Completed
The first NOTE is the warning this test setup earns: the client at 192.168.0.42 sits in the same 192.168.0.0/24 the server will push as a route. "IFCONFIG POOL: base=10.8.0.4 size=62" is the effect of the default net30 topology, in which each client gets its own /30, so a /24 pool serves at most 62 clients.
III. Client configuration
1. Install the OpenVPN client (the Windows GUI package)
2. Copy ca.crt, client1.crt and client1.key into the \config directory under the OpenVPN installation path. client1.key is the client's identity: transfer it over a trusted channel, never by e-mail or a shared drive, and once delivered remove the copy left in easy-rsa/2.0/keys on the server (revocation only needs the certificate).
3. Edit openvpn.ovpn
client
dev tun
proto udp
# the company's public address; forward UDP 1194 to 192.168.0.31 on the router
remote 180.xx.xx.xx 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert client1.crt
key client1.key
ns-cert-type server
comp-lzo
verb 4
"ns-cert-type server" makes the client refuse any peer whose certificate lacks the nsCertType=server extension that build-key-server added, so a stolen client certificate, although signed by the same CA, cannot be used to impersonate the server; keep it ("remote-cert-tls server" is the newer equivalent). Whatever the server sets for cipher, auth, tls-auth and comp-lzo must be mirrored here.
4. Right-click the OpenVPN tray icon and choose Connect
5. Check the address the client received (it comes from the 10.8.0.0/24 pool)
6. Ping the internal gateway
The client is now on the internal network.
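Shipping three loose files, as in step 2 above, is fragile; OpenVPN also accepts the CA, certificate, key and tls-auth key inline in a single profile. As an added example (not part of the original post), this POSIX shell script assembles such a profile on the machine that holds the easy-rsa output and refuses files that do not carry the expected PEM markers; the remote address, the tls-auth key, the cipher/auth lines (which must match the server) and the placeholder PEM blocks are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): build one self-contained .ovpn
# profile from the files easy-rsa produced, instead of shipping ca.crt,
# client1.crt and client1.key as loose files. The remote address, the
# tls-auth key and the placeholder PEM blocks below are assumptions.

# Copy PEM file $1 to stdout wrapped in <$2>...</$2>; fail if the file does
# not carry the BEGIN/END lines expected for that slot.
inline_pem() {
    case "$2" in
        ca|cert)  want='CERTIFICATE' ;;
        key)      want='PRIVATE KEY' ;;
        tls-auth) want='OpenVPN Static key V1' ;;
        *) echo "inline_pem: unknown slot $2" >&2; return 1 ;;
    esac
    grep -q -- "-----BEGIN .*$want-----" "$1" && grep -q -- "-----END .*$want-----" "$1" || {
        echo "inline_pem: $1 does not look like a $want file" >&2
        return 1
    }
    printf '<%s>\n' "$2"; cat "$1"; printf '</%s>\n' "$2"
}

# Write the profile to stdout: remote host $1, then the ca, cert, key and
# tls-auth files. Fails (and stops) at the first file that is not what it claims.
bundle_ovpn() {
    cat <<EOF
client
dev tun
proto udp
remote $1 1194
resolv-retry infinite
nobind
persist-key
persist-tun
# reject a peer whose cert lacks the server extensions build-key-server adds
remote-cert-tls server
# must match the server side
cipher AES-256-CBC
auth SHA256
# the server uses "tls-auth ta.key 0", so the client direction is 1
key-direction 1
verb 3
EOF
    inline_pem "$2" ca && inline_pem "$3" cert && inline_pem "$4" key && inline_pem "$5" tls-auth
}

# Constructed placeholders so this runs offline; in use, point bundle_ovpn at
# keys/ca.crt, keys/client1.crt, keys/client1.key and the ta.key from
# "openvpn --genkey --secret ta.key".
make_placeholders() {
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIB...placeholder...' '-----END CERTIFICATE-----' > "$1/ca.crt"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIB...placeholder...' '-----END CERTIFICATE-----' > "$1/client1.crt"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'MIIC...placeholder...' '-----END RSA PRIVATE KEY-----' > "$1/client1.key"
    printf '%s\n' '-----BEGIN OpenVPN Static key V1-----' '0123...placeholder...' '-----END OpenVPN Static key V1-----' > "$1/ta.key"
}

# Demo: 180.xx.xx.xx is the page's own (redacted) public address.
d=$(mktemp -d)
make_placeholders "$d"
bundle_ovpn 180.xx.xx.xx "$d/ca.crt" "$d/client1.crt" "$d/client1.key" "$d/ta.key" > "$d/client1.ovpn" && echo "profile: $(wc -l < "$d/client1.ovpn") lines"
rm -rf "$d"
```

The resulting file contains the client's private key, so it is as sensitive as client1.key itself: generate it with a restrictive umask, hand it over on the same trusted channel, and delete the server-side copy afterwards. Give each client its own profile built from its own certificate; reusing one profile is the same mistake as duplicate-cn.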
Reposted from: https://blog.51cto.com/charlie928/1226503